CVE-2024-40852
Description
A logic flaw in Assistive Access on locked iOS/iPadOS devices lets an attacker view recent photos without authentication, fixed in iOS 18 and iPadOS 18.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
This issue resides in the Assistive Access feature of iOS and iPadOS. When the device is locked, an attacker may be able to see recent photos without authentication. The vulnerability is present in versions prior to iOS 18 and iPadOS 18, which were released on September 16, 2024 [1]. The issue was addressed by restricting options offered on a locked device.
Exploitation
An attacker must have physical access to the locked device and be able to interact with the Assistive Access interface. No additional credentials or special privileges are required beyond the ability to reach the device screen. By navigating the locked Assistive Access mode, the attacker can bypass the intended lockscreen protections to view recent photos.
Impact
Successful exploitation results in unauthorized disclosure of recent photos stored on the device. This is a confidentiality breach that exposes visual information without the user's consent. The attacker gains no other privileges or control over the device.
Mitigation
Apple fixed this vulnerability in iOS 18 and iPadOS 18, released on September 16, 2024. Users should update their devices to the latest OS versions. There are no workarounds documented apart from applying the update; the affected versions are those prior to iOS 18/iPadOS 18 [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=17.x (fixed in 18)
- Range: <=17.x (fixed in 18)
- Range: 0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.